Chapter 1 Section 4
Total Page:16
File Type:pdf, Size:1020Kb
SECTION 4: COMMERCIAL CYBER ESPIONAGE AND BARRIERS TO DIGITAL TRADE IN CHINA Introduction China causes increasing harm to the U.S. economy and security through two deliberate policies targeting the United States: coordi- nated, government-backed theft of information from a variety of U.S.-based commercial enterprises and widespread restrictions on content, standards, and commercial opportunities for U.S. busi- nesses. This section examines how hackers working for the Chinese government—or with the government’s support and encourage- ment—have infiltrated the computer networks of U.S. agencies, contractors, and companies, and stolen their trade secrets, includ- ing patented material, manufacturing processes, and other propri- etary information. The Chinese government has provided that pur- loined information to Chinese companies, including state-owned en- terprises (SOEs). The Chinese government also imposes heavy-handed censorship on Internet content and social media, which has driven from the Chinese market those U.S. companies unwilling to follow the au- thoritarian dictates of the government.* The Chinese government has also begun to censor material originating outside its borders by directing distributed denial of service (DDoS) attacks against U.S.- based information providers. In addition, Beijing has implemented discriminatory regulations and standards in China to limit the commercial opportunities for U.S. companies seeking to conduct le- gitimate business there. The United States is ill prepared to defend itself from cyber espi- onage when its adversary is determined, centrally coordinated, and technically sophisticated, as is the Chinese Communist Party (CCP) and government. The design of the Internet—developed in the United States to facilitate open communication between aca- demia and government, and eventually expanded to include com- mercial opportunities—leaves it particularly vulnerable to spies and thieves. As the largest and most web-dependent economy in the world, the United States is also the largest target for cyber es- pionage of commercial intellectual property (IP). ‘‘Well-resourced, advanced cyber threats that use sophisticated tactics, techniques and procedures are able to bypass [U.S.] conventional security de- ployments almost at-will,’’ according to Jen Weedon, manager of threat intelligence at FireEye, Inc., a cybersecurity firm. ‘‘American * The France-based watchdog group Reporters Without Borders ranked China 175 out of 180 countries in its 2014 worldwide Index of Press Freedom. Among the U.S.-based companies ex- cluded or heavily censored by China are Google, Facebook, Twitter, and Instagram. For more on Chinese censorship, see Beina Xu, ‘‘Media Censorship in China,’’ Council on Foreign Rela- tions, April 7, 2015. (192) VerDate Sep 11 2014 09:25 Nov 12, 2015 Jkt 094682 PO 00000 Frm 00204 Fmt 6601 Sfmt 6601 G:\GSDD\USCC\2015\FINAL\94682_R3.XXX 94682_R3 dkrause on DSKHT7XVN1PROD with USCC 193 companies are being forced to fight a battle against adversaries possessing nation-state capabilities, which is not a fair fight.’’ 1 These activities by China’s government were the subject of the Commission’s June 15 Hearing on Commercial Cyber Espionage and Barriers to Digital Trade in China, held shortly after the Of- fice of Personnel Management (OPM) revealed that its computer network experienced an intrusion apparently originating in China. This network breach resulted in the theft of personal information on more than 22 million federal employees, retirees, contractors, applicants for government jobs, and their contacts and families.* Some of the stolen files included SF–86 application forms, which contain detailed personal information of federal workers and con- tractors applying for security clearances.2 Cyber Espionage for Commercial and Strategic Advantage The Cost and Extent of Chinese Cyber Espionage The incidence of sophisticated cyber intrusions into U.S. govern- ment and private computer networks—particularly those involving ‘‘zero-day attacks’’ † and the exfiltration of large amounts of com- mercial data and personally identifiable information ‡—is on the in- crease. Cyber espionage for the purpose of commercial gains ‘‘pre- sents one of the most significant economic and national security challenges facing the United States,’’ according to Paul Tiao, a former Federal Bureau of Investigation (FBI) official who now is an attorney in private practice at Hunton & Williams in Washington, DC, and who testified before the Commission.3 The economic cost of cyber crime and espionage is estimated at $375 billion to $575 billion annually worldwide, or between 15 percent and 20 percent of the value created by the Internet, according to a 2014 study by Intel Corporation’s McAfee cybersecurity branch and the Center for Strategic and International Studies.4 The study estimates that cyber attacks against targets in the United States could result in a permanent reduction of as many as 200,000 U.S. jobs due to lost business income and expenses to repair the damage. The cost of de- fending against such attacks is also increasing. The global market for cybersecurity products and services is estimated to be $77 bil- lion in 2015—about the size of all the Federal Government’s public information technology (IT) spending budget—with spending grow- ing twice as fast as general spending on IT.5 The cost of individual cyber intrusions, which includes detection, repair, and remediation, has also been on the rise. A 2014 survey * For more information on China’s cyber espionage and related activities, see U.S.-China Eco- nomic and Security Review Commission, 2012 Annual Report to Congress, November 2012, and 2013 Annual Report to Congress, November 2013. † Zero-day attacks employ hacking techniques and malware tailored to a specific target rather than generic products available online, which can be detected through the use of commercially available cybersecurity software. ‡ Personally identifiable information can include name, Social Security number, passport num- ber, driver’s license number, taxpayer identification number, financial account or credit card number, banking information, address, date of birth, place of birth, religion, race, weight, activi- ties, employment and medical information, education, fingerprints, retinal scan, voice signature, facial geometry, photographic image, and travel records. Erika McCallister, Tim Grance, and Karen Scarfone, Guide to Protecting the Confidentiality of Personally Identifiable Information: Recommendations of the National Institute of Standards and Technology (Special Publication 800–122), National Institute of Standards and Technology, U.S. Department of Commerce, April 2010. VerDate Sep 11 2014 09:25 Nov 12, 2015 Jkt 094682 PO 00000 Frm 00205 Fmt 6601 Sfmt 6601 G:\GSDD\USCC\2015\FINAL\94682_R3.XXX 94682_R3 dkrause on DSKHT7XVN1PROD with USCC 194 of 59 large U.S. companies by the Ponemon Institute and Hewlett- Packard found the average annual cost of responding to commercial cyber attacks was $12.7 million, up 96 percent from the previous five years.6 During this period, the number of attacks against the 59 firms was up 176 percent, with an average of 138 successful at- tacks each week. The average time taken to detect an attack was 170 days, with an average of 45 days spent resolving the damage. The costs included detection, data recovery, loss of information, and business disruption.7 The cost of a network breach can impact a company in a variety of ways, according to Mr. Tiao. They include: • Loss of IP to a potential competitor that may be able to use it to develop and sell a competing product or to reduce research and development costs; • Reduced incentives for technological innovation by targeted companies; • Loss of confidential business-sensitive information that may, for example, be used by a company to underbid the victim for a lucrative contract or to undermine the victim’s strategy in business negotiations; • Opportunity costs in the form of service and employment dis- ruptions, lost sales and revenues, and reduced trust and use of online commercial activities; • Costs of securing networks, cyber insurance, and recovery from cyber attacks; • Legal fees associated with breach-related litigation and govern- ment enforcement actions; and • Reduced stock prices and reputational harm suffered by victim companies.8 Even companies that have not been victimized have substantial costs to subtract from their bottom lines, according to Mr. Tiao: Prior to an incident taking place, large companies devote extensive financial, staff, and consultant resources to keep- ing information security policies up to date, implementing technical network security programs, developing and exer- cising breach response plans, participating in public-pri- vate and private-private cybersecurity information sharing arrangements, negotiating the information security terms of third-party vendor agreements, ensuring that those vendors maintain adequate information security, and purchasing cyber security insurance, and training employees.9 Since at least 2009, China has directed ‘‘the single largest, most intensive foreign intelligence gathering effort since the Cold War,’’ according to cybersecurity firm Medius Research.10 The increased success rate for intrusions against U.S. companies is often attrib- uted to the presence of government-run or government-sponsored VerDate Sep 11 2014 09:25 Nov 12, 2015 Jkt 094682 PO 00000 Frm 00206 Fmt 6601 Sfmt 6601 G:\GSDD\USCC\2015\FINAL\94682_R3.XXX